revoking with serial revokes also younger certs

Damien Miller djm at
Tue Sep 17 10:02:56 AEST 2019

On Mon, 16 Sep 2019, Jakob Schürz wrote:

> Hi Daminan!
> Hmmm... thought about a little...
> when i use -vvv with ssh-keygen -Qf i see "debug1:..." So i think, debug
> is compiled in.

debugging is compiled in generally, but the the recipe I mentioned turns
on extra KRL debugging.

> ssh-keygen --help gives me
> ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
> so... option -z is not the serial of the certificate, it is the
> version-number of the KRL-File...

oops, yes.

> My openssh-Verision from Debian is 1:7.4p1-10+deb9u7. Maybe, this
> openssh-version does not support revoking a certificate by it's
> serialnumber.

It almost certainly does, but you'd need to use a KRL specification file.
See the "KEY REVOCATION LISTS" section in the ssh-keygen manpage.

> This leads me to the next question... The serial-number of
> a certificate is uniq over all certificates, or is it allowed, to
> increment serial-numbers for each certificate separate? How is the design?

what goes in the serial number is totally up to the CA. OpenSSH doesn't
make any authentication decisions based on it - it's in the certificate
mostly to allow very compact revocation lists.


More information about the openssh-unix-dev mailing list